Online gambling firm Betfair admitted today it had not informed its customers that the details of millions of credit cards were stolen in a major cyber-attack 18 months ago.
More than 3.1 million account names with encrypted security questions, 2.9 million usernames, and nearly 90,000 account usernames with bank account details were stolen in an attack in March last year.
Betfair said it did not inform its registered customers of the attack as its security measures made the data unusable for fraudulent activity and it was able to recover the data intact.
A report commissioned into the theft, seen by the Daily Telegraph, was published on September 27 last year - six days after Betfair announced its intention to float on the London Stock Exchange.
Details of the attack come after Japanese computer games giant Sony revealed it had suffered two massive attacks on its PlayStation network, in which the data of around 100 million users were stolen.
A Betfair spokesman said it decided not to disclose the attack, which it reported to the UK's Serious Organised Crime Agency, as it determined it was not going to impact customers.
A review of security has been concluded since the attack, he added, and Betfair's systems have been strengthened so they now conform with best practice guidelines on the protection of customer details.
He said: "We have subsequently implemented all of the recommendations from the independent reports we commissioned and have done everything we can to minimise the risk of this happening again."
Betfair confirmed it did not discover the cyber-attack, believed to be from criminals based in Cambodia, until two months after it happened, when a server at its Malta data centre crashed. In total, nine servers in the UK and two in Malta were affected.
As well as Soca, the group said it had also contacted the Australian Federal Police and German authorities over the attack.
Betfair's share price has fallen 41% since it listed at 1300p last October as revenue growth has been lower than expected, while it has also suffered a string of management departures, regulatory problems and a poor performance from its start-up LMax financial exchange.
Chief executive David Yu and chairman Edward Wray have both recently indicated they will stand down. Mr Yu, who was the company's chief technology officer before taking over as chief executive, said in June he would not renew his contract when it expires in October 2012.
This month, Edward Wray also said the group was looking for a deputy chairman who could take over his role at the appropriate time. Betfair shares today rose 1.5%.
Nick Pickles, director of civil liberties and privacy campaign group Big Brother Watch, said: "This is nothing short of a scandal. For the personal details of millions of customers to be lost is one thing - but to then fail to inform those affected is outrageous.
"Whoever made the decision to sacrifice the financial security of millions of people for the sake of Betfair's reputation should resign immediately.
"Big Brother Watch has continued to highlight how the regulation of personal data in the UK is dangerously lacking. This incident reaffirms the need for more severe penalties for individuals and companies who do not fulfil their responsibility to protect personal information."